capaths questions
Matt Crawford
crawdad at fnal.gov
Mon May 17 18:24:46 EDT 2004
On May 17, 2004, at 15:56, Sam Hartman wrote:
> Derek> True, but the destination KDC does get to enforce it (as
> Derek> you suggest later).
>
> And should not do so. The destination kdc should leave the policy
> checked flag clear and the application server should reject.
I've been following the thread quietly until this point, but now I have
to disagree. I want to be able to have my FNAL.GOV deny the service
ticket if I choose to, or leave it up to the service to deny access.
There are some times when we have to convince outsiders that certain
policies are enforced, and claiming that a hundred sysadmins have
properly configured a hard-to-audit rule on thousands of hosts is a
weak case.
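As an added illustration (not part of the thread, and not MIT krb5 code): a simplified Python model of the two enforcement points under discussion, the destination KDC checking a ticket's transited realms against a capaths table and either refusing the service ticket or deferring to the application server by leaving the transited-policy-checked flag clear. The capaths table, the realm names other than FNAL.GOV and the ticket representation are constructed for this example.

```python
# Constructed capaths table with the shape of a krb5.conf [capaths] section:
# client realm -> { server realm -> permitted intermediate realms }.
# "." means the two realms share a direct cross-realm key (no intermediates).
# Realm names other than FNAL.GOV are made up for this example.
CAPATHS = {
    "CLIENT.EXAMPLE": {
        "FNAL.GOV": ["HUB.EXAMPLE"],   # CLIENT -> HUB -> FNAL is the only allowed route
        "HUB.EXAMPLE": ["."],          # direct trust, nothing in between
    },
}

def allowed_intermediates(client_realm, server_realm, capaths=CAPATHS):
    """Intermediates permitted between two realms ([] = direct only).
    Returns None when no path is configured at all."""
    path = capaths.get(client_realm, {}).get(server_realm)
    if path is None:
        return None
    return [realm for realm in path if realm != "."]

def transited_policy_ok(client_realm, server_realm, transited, capaths=CAPATHS):
    """True if every realm the ticket claims to have passed through is permitted.
    Simplified: a real KDC decodes the compressed X.500-style transited field."""
    allowed = allowed_intermediates(client_realm, server_realm, capaths)
    if allowed is None:
        return False
    return all(realm in allowed for realm in transited)

def kdc_issue(client_realm, server_realm, transited, kdc_enforces):
    """Model the destination KDC. With kdc_enforces=True it refuses the service
    ticket on a disallowed path; otherwise it issues the ticket with the
    transited-policy-checked flag clear and leaves the decision to the service."""
    ok = transited_policy_ok(client_realm, server_realm, transited)
    if kdc_enforces:
        if not ok:
            return None  # refused; a real KDC would return a policy error
        return {"transited": transited, "transited_policy_checked": True}
    return {"transited": transited, "transited_policy_checked": False}

def service_accepts(ticket, client_realm, server_realm):
    """Model the application server: trust the KDC's verdict only when the flag
    is set; otherwise re-run the transited check locally."""
    if ticket is None:
        return False
    if ticket["transited_policy_checked"]:
        return True
    return transited_policy_ok(client_realm, server_realm, ticket["transited"])
```

With kdc_enforces=True a ticket that travelled through an unlisted realm never leaves the KDC; with it False the same ticket is issued and every service must repeat the check, which is the audit burden the post describes.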